Attestation

Fetch a cryptographic proof that the API endpoint is the genuine Tresor router running in a Confidential VM.

Endpoint

GET /attestation

Returns the live attestation envelope for the router pod that served the request. Customers verify this envelope against a signed trust bundle (released out-of-band) to pin their HTTPS traffic to a specific enclave measurement and TLS public key.

For the threat model, ceremony, and verifier algorithm, see Concepts → Attestation.

Response

200 OK with Content-Type: application/json. All hex fields are lowercase.

{
  "schema": "tresor.attestation/v1",
  "workload": "router",
  "snp_report_b64": "PHNucCByZXBvcnQuLi4+",
  "vcek_chain_pem": "-----BEGIN CERTIFICATE-----\n...",
  "tls_spki_sha256": "9b8c…",
  "workload_identity_tag": "a1b2…",
  "workload_identity_manifest_jws": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLiJ9.eyJzY2hlbWEiOiJ3b3JrbG9hZC1pZGVudGl0eS92MSIsIndvcmtsb2FkIjoicm91dGVyIiwidmVyc2lvbiI6InYxLjQyLjMiLCJpbWFnZV9kaWdlc3QiOiJzaGEyNTY6Li4uIn0.…",
  "trust_bundle_url": "https://trust.tresor.co/api/router.json",
  "issued_at": "2026-04-01T12:00:00Z",
  "max_age_seconds": 600
}
| Field | Description |
| --- | --- |
| schema | Always tresor.attestation/v1. Increment on breaking envelope changes. |
| workload | Logical workload name (router). |
| snp_report_b64 | Standard-base64 of the AMD SEV-SNP attestation report (binary, ≈ 1 184 bytes). |
| vcek_chain_pem | PEM-concatenated VCEK + ASK + ARK certificates issued by AMD for the host CPU. May be empty in dev mode. |
| tls_spki_sha256 | SHA-256 of the leaf TLS certificate's SubjectPublicKeyInfo (DER), 64 hex chars. Customers compare to the live SPKI of the connection. |
| workload_identity_tag | SHA-256(workload_identity_manifest_jws_bytes), 64 hex. Stable per release; baked into the binary at build time. Folded into the SHA-384 qualifyingData of the TPM quote, so a different binary cannot impersonate the endpoint without minting a new TPM-signed quote. |
| workload_identity_manifest_jws | Compact JWS over payload schema workload-identity/v1 (workload, version, image_digest, binary_digest, build_metadata). Signed by the workload-manifest key named in trust_bundle.delegated_keys.workload_manifest; for legacy bundles without that field, signed by the release-root key directly. Verifiable client-side using whichever key the bundle authorises (the tresor-attest SDKs ship a pinned release-root pubkey and read the delegated key out of the verified bundle). May be empty in dev/unsigned mode. |
| trust_bundle_url | Where to fetch the JWS-signed trust bundle that lists the allowed measurements, identity tags, and TCB floor. |
| issued_at | RFC 3339 UTC timestamp of envelope generation. |
| max_age_seconds | Recommended client cache TTL for the envelope. |

The SNP report's first 32 bytes of REPORT_DATA are bound to:

SHA-256( hex_decode(tls_spki_sha256) || hex_decode(workload_identity_tag) )

so a substituted certificate or a different binary cannot impersonate the endpoint without a matching valid SNP report.
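
An added example (not Tresor's SDK or verifier code) of the three binding checks this page describes: the live SPKI against tls_spki_sha256, workload_identity_tag against the manifest JWS bytes, and the first 32 bytes of REPORT_DATA against the formula above. It assumes REPORT_DATA sits at offset 0x50 of the report, per AMD's SEV-SNP ABI layout, and it does not verify the report signature, the VCEK chain, or the trust bundle; the function names and the sample envelope are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Assumption (AMD SEV-SNP ABI report layout, not stated on this page):
# REPORT_DATA is the 64-byte field at offset 0x50 of the attestation report.
REPORT_DATA_OFFSET = 0x50
HEX64 = re.compile(r"[0-9a-f]{64}")  # page: hex fields are lowercase, 64 chars

def expected_binding(spki_hex: str, tag_hex: str) -> bytes:
    """SHA-256(hex_decode(tls_spki_sha256) || hex_decode(workload_identity_tag))."""
    return hashlib.sha256(bytes.fromhex(spki_hex) + bytes.fromhex(tag_hex)).digest()

def check_bindings(env: dict, live_spki_der: bytes) -> list:
    """Return the names of failed checks; an empty list means all bindings hold."""
    spki, tag = env.get("tls_spki_sha256", ""), env.get("workload_identity_tag", "")
    if env.get("schema") != "tresor.attestation/v1":
        return ["schema"]
    if not (HEX64.fullmatch(spki) and HEX64.fullmatch(tag)):
        return ["hex_format"]
    failed = []
    # The TLS key seen on the live connection must be the one in the envelope.
    if not hmac.compare_digest(hashlib.sha256(live_spki_der).hexdigest(), spki):
        failed.append("tls_spki")
    # The identity tag must hash the manifest JWS bytes; empty (dev mode) is rejected.
    jws = env.get("workload_identity_manifest_jws", "").encode("ascii")
    if not jws or not hmac.compare_digest(hashlib.sha256(jws).hexdigest(), tag):
        failed.append("identity_tag")
    # The first 32 bytes of REPORT_DATA must commit to both values.
    report = base64.b64decode(env.get("snp_report_b64", ""), validate=True)
    if len(report) < REPORT_DATA_OFFSET + 32:
        failed.append("report_length")
    elif not hmac.compare_digest(
        report[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + 32], expected_binding(spki, tag)
    ):
        failed.append("report_data")
    return failed

def constructed_envelope(spki_der: bytes, jws: str) -> dict:
    """Constructed sample: a zero-filled 1184-byte stand-in, not a real SNP report."""
    spki, tag = (hashlib.sha256(b).hexdigest() for b in (spki_der, jws.encode()))
    report = bytearray(1184)
    report[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + 32] = expected_binding(spki, tag)
    return {"schema": "tresor.attestation/v1", "tls_spki_sha256": spki,
            "workload_identity_tag": tag, "workload_identity_manifest_jws": jws,
            "snp_report_b64": base64.b64encode(bytes(report)).decode()}
```

An envelope whose tls_spki_sha256 is swapped to match a different certificate passes the live-SPKI comparison but fails the REPORT_DATA check, which is the substitution case the binding is meant to catch.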

Errors

| Status | Body | Meaning |
| --- | --- | --- |
| 503 | {"error":"attestation_unavailable"} | Router could not capture or refresh evidence. |

Caching

The envelope is cached per pod and refreshed on a fixed cadence. Clients should cache for max_age_seconds and re-fetch on any TLS-handshake-level certificate change.

See also